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Abstract — We  describe  new  analytical  techniques  to  help 
mitigate  the  disruptions  to  electric  power  grids  caused  by  terrorist 
attacks.  New  bilevel  mathematical  models  and  algorithms  identify 
critical  system  components  (e.g.,  transmission  lines,  generators, 
transformers)  by  creating  maximally  disruptive  attack  plans  for 
terrorists  assumed  to  have  limited  offensive  resources.  We  report 
results  for  standard  reliability  test  networks  to  show  that  the  tech¬ 
niques  identify  critical  components  with  modest  computational 
effort. 

Index  Terms — Homeland  security,  interdiction,  power  flow. 


I.  Introduction 

LECTRIC  power  systems  are  critical  to  any  country’s 
economy  and  security.  In  the  United  States,  the  system’s 
vulnerability  to  physical  disruptions  from  natural  disasters  and 
other  causes  has  long  been  recognized  [1].  This  vulnerability 
has  increased  in  recent  years  because  infrastructure  has  not 
expanded  as  quickly  as  demand  has,  thereby  reducing  the 
system’s  “cushion”  against  failed,  destroyed,  or  otherwise  un¬ 
available  system  components  [2].  The  threat  of  human  attacks 
on  the  system  has  become  more  serious,  too.  The  Committee 
on  Science  and  Technology  for  Countering  Terrorism  [3]  states 
the  problem  succinctly:  “The  nation’s  electric  power  systems 
must  clearly  be  made  more  resilient  to  terrorist  attack.”  To  help 
reach  this  goal,  this  paper  describes  new  bilevel  optimization 
models  and  solution  techniques  for  analyzing  the  security  and 
resilience  of  electrical  power  grids  against  disruptions  caused 
by  terrorist  attacks.  (These  techniques  could  also  help  analyze 
a  system’s  susceptibility  to  natural  disasters,  but  we  do  not 
study  this  issue  explicitly.) 

We  propose  techniques  to  identify  critical  sets  of  a  power 
grid’s  components,  e.g.,  generators,  transmission  lines,  and 
transformers,  by  identifying  maximally  disruptive,  coordinated 
(nearly  simultaneous)  attacks  on  a  grid,  which  a  terrorist 
group  might  undertake.  By  studying  how  to  attack  power 
grids,  we  will  ultimately  understand  how  to  make  them  less 
vulnerable.  We  report  results  for  our  techniques  applied  to 
reliability-benchmark  networks. 

We  search  for  optimal  attacks,  i.e.,  a  set  of  attacks  that  causes 
the  largest  possible  disruption  given  posited  offensive  resources. 
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By  considering  the  largest  possible  disruptions,  our  proposed 
protection  plans  will  be  appropriately  conservative.  Actual  ter¬ 
rorist  “resources”  will  always  be  uncertain,  so  our  techniques 
must  be  fast  enough  to  quickly  analyze  a  wide  range  of  prob¬ 
able  scenarios.  We  concern  ourselves  only  with  physical  at¬ 
tacks  on  the  power  grid  and  neglect  the  issue  of  “cyber- attacks” 
on  the  controlling  Supervisory  Control  and  Data  Acquisition 
(SCADA)  infrastructure.  The  implicit  assumption  is  that  the 
SCADA  infrastructure  has  been  hardened.  A  discussion  of  the 
issues  for  reliable  communication  in  this  context  is  presented  in 

[4]. 

The  rest  of  this  paper  is  organized  as  follows:  Section  II  de¬ 
scribes  the  mathematical  formulation  of  our  models  and  de¬ 
scribes  procedures  to  solve  them.  Section  III  reports  results  of 
those  models  and  algorithms  applied  to  two  IEEE  reliability  test 
systems.  Section  IV  provides  conclusions  and  points  out  direc¬ 
tions  for  future  research. 

II.  Approach 

A.  Overview 

Our  approach  to  identifying  critical  system  components  first 
develops  a  network-interdiction  model  [5]  to  represent  the 
optimal- attack  problem  that  a  terrorist  group  might  face.  This 
model  is  a  max-min  (Mm)  problem 

(Mm)  maxminc^p 
«ga  p 

s.t.  g(p,^)  <  b 

p  >  0. 

An  interdiction  plan  is  represented  by  the  binary  vector  S, 
whose  A:th  entry  6k  is  1  if  component  k  of  the  system  is  attacked 
and  is  0  otherwise.  For  a  given  plan,  the  inner  problem  is  an 
optimal  power-flow  model  [6,  p.  5 14]  that  minimizes  generation 
costs  plus  the  penalty  associated  with  unmet  demand,  together 
denoted  by  c^p.  Here,  p  represents  power  flows,  generation 
outputs,  phase  angles  and  “unmet  demand,”  i.e.,  the  amount  of 
load  shed;  c  represents  linearized  generation  costs,  and  the  costs 
of  unmet  demand.  The  outer  maximization  chooses  the  most 
disruptive,  resource-constrained  interdiction  plan  ^  G  A,  where 
A  is  a  discrete  set  representing  attacks  that  a  terrorist  group 
might  be  able  to  carry  out.  In  this  model,  g  corresponds  to  a 
set  of  functions  that  are  nonlinear  in  (p,  ^).  The  inner  problem 
involves  a  simplified  optimal  power- flow  model,  with  constraint 
functions  g(p,  6)  that  are,  however,  linear  in  p  for  a  fixed  6  =  8. 
The  model  extends  easily  to  handle  the  cost  of  repairs. 
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For  simplicity,  we  first  describe  a  power- flow  model  that  min¬ 
imizes  the  instantaneous  cost  of  system  operation,  including 
unmet  demand,  measured  in  $/h.  Power  disruptions  resulting 
from  cascading  outages  immediately  after  attack  are  ignored, 
so  we  are  actually  measuring  cost  after  initial  restoration  of  out- 
aged  but  undamaged  equipment.  Later  in  the  paper  we  consider 
the  cost  of  unmet  demand  after  the  initial  restoration,  recog¬ 
nizing  that  this  cost  will  be  changing  over  time  as  damaged 
equipment  is  repaired  following  an  attack. 

The  remainder  of  this  section  explains  the  basic  mathemat¬ 
ical  models  and  algorithms  our  research  has  developed.  We  first 
summarize  our  DC  approximation  of  the  AC  power-flow  model, 
and  then  show  how  to  incorporate  that  approximation  as  part 
of  an  interdiction  model.  Finally,  we  introduce  a  heuristic  al¬ 
gorithm  for  solving  the  combined  power-flow  and  interdiction 
model. 

B.  Power-Flow  Model 

We  approximate  active  power  flows  with  a  DC  model,  de¬ 
noted  DC-OPF  (DC-Optimal  Power  Flow),  which  neglects  re¬ 
active  power  effects  and  nonlinear  losses.  This  approximation 
is  normally  acceptable  in  the  context  of  long-term,  “coarse¬ 
grained”  security  analysis  [6,  p.  419].  In  the  eventual  min-max 
interdiction  model,  DC-OPF  will  be  modified  through  a  set  of 
interdiction  variables. 


Indices  and  Index  Sets: 


i  e  I 

buses; 

gCG 

generating  units; 

1  G  L 

transmission  lines; 

CG  C 

consumer  sectors; 

s  G  S 

substations; 

i  G  Is 

buses  at  substation  s; 

9  C  Gi 

generating  units  connected  to  bus  r. 

1  G  Lf 

lines  connected  to  bus  L 

1  G 

lines  connected  to  substation  s  (including 
transformers,  which  are  represented  by  lines); 

V  G 

lines  1'  1  running  in  parallel  to  line  1. 

Parameters  (units): 

o(l),  d(l) 

origin  and  destination  buses  of  line  Z;  more 
than  one  line  with  the  same  o(Z),  d{l)  may 
exist; 

Ka) 

bus  for  generator  g,  i.e.,  g  G  Gi(g); 

die  . 

load  of  consumer  sector  c  at  bus  i  (MW); 

-pLxne 

-j^Gen 

transmission  capacity  for  line  1  (MW); 

maximum  output  from  generator  g  (MW); 

n,  xi 

resistance,  reactance  of  line  Z(fZ).  (We 
assume  xi  r^);  series  susceptance  is 

Bi  =  xi/{rf  +  xf); 

hg 

generation  cost  for  unit  g  ($/MWh); 

fic 

load-shedding  cost  for  customer  sector  c  at  bus 
i  ($/MWh). 

Decision  Variables  (Units): 

ryGen 

^9 

generation  from  unit  g  (MW); 

pLine 

power  flow  on  line  1  (MW); 

si 

load  shed  by  customer  sector  c  at  bus  i  (MW); 

o^ 

phase  angle  at  bus  i  (radians). 
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Formulation  of  DC-OPF:  (Remark:  All  units  above  are  con¬ 
verted  into  per-unit  values  for  a  base  load  of  100  MW.) 

min  V  +  Yy  (DC.O) 

pGen  pLine  S  Q  ^  ^  Z—/  Z—/ 

’  ’  ’  5  i  c 


subject  to: 

V/  (DC.l) 

ypy-  Y  pLine^  E  pLine 
9  l\o{l)=i  l\d{l)=i 

=  Yidic-S,,)  fi  (DC.2) 

C 

_  pUne  ^  pLine  <  ^  ^ 

0  <  P®®”  <  Pg  V  g  (DC.4) 

0  <  S'ic  <  die  V  i,  c.  (DC. 5) 


The  objective  of  DC-OPF  (DC.O)  is  to  minimize  generating 
plus  shedding  costs  measured  in  $/h.  Constraints  (DC.l)  ap¬ 
proximate  active  power  flows  on  the  lines.  Constraints  (DC.2) 
maintain  power  balance  at  the  buses.  Constraints  (DC. 3)  and 
(DC.4)  set  maximum  line  power  flows  and  generating-unit  out¬ 
puts.  Minimum  power  outputs  are  set  to  zero  for  all  generating 
units  for  simplicity  here,  but  extensions  to  nonzero  minima  are 
straight-forward.  Constraints  (DC. 5)  state  that  load  shedding 
cannot  exceed  demand.  A  version  of  DC-OPF  will  be  a  sub¬ 
problem  of  the  interdiction  model  described  next. 

C.  Interdiction  Model 

“The  interdictor”  in  our  model,  a  group  of  terrorists,  will 
make  a  coordinated  set  of  resource-constrained  interdictions  (at¬ 
tacks)  on  the  power  grid.  We  make  the  following  assumptions 
on  the  effect  of  each  interdiction. 

•  Line  interdiction:  All  lines  running  physically  in  parallel 
at  the  point  of  an  attack  are  opened.  (Typically,  these  lines 
are  mounted  on  the  same  towers,  and  an  attack  on  one  is 
an  attack  on  all.) 

•  Transformer  interdiction:  The  line  representing  the  trans¬ 
former  is  opened. 

•  Generator  interdiction:  The  generator  is  disconnected 
from  the  grid. 

•  Bus  interdiction:  All  lines,  generation,  and  load  connected 
to  the  bus  are  disconnected. 

•  Substation  interdiction:  All  buses  at  the  substation  are  dis¬ 
connected;  this  triggers  the  corresponding  bus-interdiction 
effects  just  described. 

Terrorist  resource  constraints  can  accommodate  information 
from  intelligence  sources,  whether  it  is  specific  as  we  shall  as¬ 
sume,  or  generic,  such  as  “any  three  attacks  might  happen.”  For 
demonstration  purposes,  we  model  this  feature  through  a  simple 
knapsack  constraint. 

Additional  Sets  and  Parameters  Required: 

G*  C  G,  L*  C  L,  I*  C  I,  S*  C  S  interdictable  genera¬ 
tors,  lines,  buses,  and 
substations,  respec¬ 
tively.  These  are  “inter¬ 
dictable  components.” 
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M 


Interdiction  Variables: 

^Gen  ^Line  ^Bus  ^Sub 


Formulation  of  I-DC-OPF: 


resource  required  to  in¬ 
terdict  generator  g,  line 
I,  bus  i,  and  substation 
s,  respectively, 
total  interdiction  re¬ 
source  available  to  ter¬ 
rorists. 

binary  variables  that 
take  the  value  1  if  gen¬ 
erator  g,  line  I,  bus  i 
or  substation  s,  respec¬ 
tively,  are  interdicted, 
and  are  0  otherwise. 


max 


^Line 


^Bus  ^Sub-^ 


(i.o) 


subject  to: 


j^LinegLine 

geG*  leL* 


+  Y  +  Y  <  M. 


(i.i) 


All  variables  8  are  binary,  but  are  fixed  to  0  if  not  associated 
with  G*,L*,I*,  or  S*.  (1.2) 


And  where 

^^^Gen  ^Line  ^Bus  ^Sub-^ 

=  min  V  (®C.O) 

pGen  pLine  Q  Q  *  ^  ^  ^  ^ 

’  ’  ’  S  i  c 

subject  to: 

(Note:  Nonlinear  constraints  in  8  are  used  for  conciseness 
below;  linear  replacements  are  straightforward.) 

-  Bail))  (1  -  (l  -  )  ( 

n  n  vz 

-yLine  _|_  ^  ^  pLine 

l\d(l)=i 

-  ^  ^  (^2C  *^2c)  ^ 


E  Pi 

g  l\o(l)=i 


'  1  _  xBus 

(IDC.l) 


(IDC.2) 


-  Pf*""  (1  -  (l  -  (l  - 


s\l£LS^^ 


^  pLine  ^  pLine 


n  (1 

0  <  pf  < 

0  ^  p2c  —  die  V  C. 


n  VZ  (IDC.3) 

(l-pf“f)(l-^fppf”  Vg 


(IDC.4) 

(IDC.5) 


I-DC-OPF  maximizes  generation  costs  plus  load-shedding 
costs,  which  we  refer  to  as  “disruption.”  (A  more  intuitive 


definition  would  also  subtract  nominal  generation  cost,  but  this 
is  a  constant  factor  we  shall  ignore.)  Disruption  is  evaluated 
through  the  inner  minimization  problem  that  consists  of  the 
power-flow  model  DC-OPF  with  interdicted  components 
removed.  At  the  outer  level,  (1.1)  reflects  the  terrorists’  options 
to  interdict  different  combinations  of  components  in  the  grid 
without  exceeding  their  resources.  Restrictions  (1.2)  define 
terrorist  actions  as  binary  variables  and  ensure  noninterdiction 
of  certain  grid  components  (e.g.,  hardened  components). 

Equations  (IDC.1)-(IDC.5)  are  analogs  of  (DC.1)-(DC.5). 
Here,  however,  the  components  that  have  been  interdicted,  di¬ 
rectly  or  indirectly,  are  removed  from  the  equations  through  the 
binary  interdiction  variables.  For  example,  if  some  line  Z  is  con¬ 
nected  to  an  interdicted  substation  s,  i.e.,  =  1,  then  con¬ 
straints  (IDC.l)  and  (IDC.3)  for  line  Z  yield  =  0. 

The  computational  challenge  of  I-DC-OPF  stems  from  the 
max-min  structure  of  the  problem.  The  optimal  objective  value 
of  the  linearized  version  of  the  inner  minimization,  as  a  func¬ 
tion  of  continuous  8,  is  convex.  Hence,  I-DC-OPF  involves  the 
maximization  of  a  convex  function,  which  is  usually  a  difficult 
task. 

D.  Interdiction  Algorithm 

Future  research  will  investigate  the  conversion  of  I-DC-OPF 
to  a  linear  mixed-integer  program  which  could  be  solved  di¬ 
rectly  or  through  decomposition  [7].  At  this  juncture,  we  have 
devised  a  decomposition-based  heuristic  to  obtain  acceptable  in¬ 
terdiction  plans  (for  the  terrorists),  although  not  necessarily  op¬ 
timal  ones. 

The  algorithm  begins  by  solving  DC-OPF,  “the  subproblem,” 
assuming  no  attacks.  The  result  is  an  optimal  power  flow  for 
normal  operations,  a  flow  that  should  minimize  generation  costs 
without  shedding  any  load.  The  power-flow  pattern  is  used  to 
assign  relative  values  (see  below)  to  all  the  components  of  the 
power  grid.  Next,  the  algorithm  solves  a  “master  problem”  to 
identify  an  interdiction  plan  that  maximizes  the  estimated  value 
of  interdicted  assets  while  not  exceeding  available  interdiction 
resources.  With  this  plan,  the  constraints  of  DC-OPF  are  modi¬ 
fied  and  the  new  subproblem  solved.  The  result  is  a  power  flow 
that  minimizes  generation  costs  plus  the  penalty  associated  with 
load  shedding,  given  the  new  interdictions.  Typically,  some  load 
will  be  shed  in  the  new  solution  since  valuable  assets  have  been 
removed  from  the  grid. 

The  process  continues  by  finding  alternative  interdiction 
plans  and  by  evaluating  load  shedding  for  each  of  them.  This 
algorithm  may  be  viewed  as  a  heuristic  version  of  Benders 
decomposition  [7]  to  solve  the  bilevel  program,  I-DC-OPF. 
The  master  problem  incorporates  super-valid  inequalities 
(constraints  that  eliminate  some  solutions,  but  not  all  optimal 
ones,  unless  an  optimal  solution  has  already  been  identified 
[5])  to  avoid  repeating  solutions.  We  next  provide  details  of  the 
two  models  required  in  the  decomposition  algorithm. 

Subproblem:  DC-OPF  for  a  Specific  Interdiction  Plan.  As¬ 
sume  that  at  iteration  t  of  our  algorithm,  a  specific  interdic- 
tion  plan  d=(o  ,o  ,0  ,o  lis  given.  The 

power-flow  model  DC-OPF(^  ),  (IDC.0)-(IDC.5),  forms  the 
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subproblem  and  its  solution  yields  objective  value  7  )  = 

(^Gen,t  '^Sub^tX 

8  ,0  ,8  ,8  1  along  with  power  flows,  gen¬ 

eration  and  unmet  demand,  which  are  represented  by  P*  = 

^pLine,t  pGen,t  gt 

Value  estimates: 

The  solution  P*  =  S*,  ^  ^ ,  provided  hy 

DC-OPF  ^ ,  serves  to  construct  estimates  of  the  attractive¬ 
ness  or  “value^’  of  components  for  further  interdiction.  To  deter¬ 
mine  these  estimates,  we  define  a  set  of  parameters  which  repre¬ 
sent,  essentially,  estimated  coefficients  for  a  “Benders  cut”  that 
will  be  added  to  the  master  problem.  (In  this  heuristic,  a  cut,  or  a 
set  of  aggregated  cuts,  is  added  to  the  master-prohlem  objective 
function  rather  than  being  added  as  a  constraint;  the  super-valid 
inequalities  take  the  place  of  cuts  that  build  up  from  iteration  to 
iteration.)  We  first  compute 


TpOut^t  \  ^  tiL 

-  /  .  M 


AP^Line^Q 


+  E  Pi 


flow  out  of  bus  i 


jpMet,t  _  ^  supplied  to  bus  i. 


These  totals  are  then  used  to  compute: 


yGen,t  ^^GenpGen,t 


■^Lin&^t  _ ^Line  pLine^t  ^  ^  pLine^t 


/■Bus,t  _  Bus  (  rpMet,t  .  jpOut^t 


ySub,t  _  ^Sub  pLine,t  y  ^ 


The  weights  and  are  specified  hy 

the  user  to  reflect  the  relative  importance  of  each  type  of  com¬ 
ponent.  Experience  indicates  that  the  algorithm  is  more  efficient 
when  using  weights  that  provide  higher  incentives  for  attacks  on 
buses  and  substations  than  on  individual  lines  and  generators, 
e.g.,  =  2,  =  5,  =  1,  =  5. 

We  have  found  that  the  following  modifications  to  the  defi¬ 
nition  of  value  are  useful,  too:  (a)  The  value  for  a  component 
defined  above  is  divided  by  the  amount  of  resource  required  to 
interdict  that  component,  to  reflect  value  per  unit  of  effort,  (b) 
a  minimum  value  £  >  0  is  always  enforced,  for  reasons  ex¬ 
plained  below,  and  (c)  a  running  average  of  component  values 
is  used  rather  just  the  current  iteration’s  values.  Without  the  run¬ 
ning  average,  if  the  power  flow  through  a  currently  interdicted 
component  is  null,  the  asset  will  be  unattractive  in  the  immedi¬ 
ately  following  iteration.  This  is  counter-intuitive.  (The  running 
average  could  he  computed  in  a  variety  of  ways,  but  we  use  a 
simple  arithmetic  average  over  all  iterations.) 


Master  Problem:  Finding  a  Valuable  Interdiction  Plan: 
Assume  that  a  set  of  estimated  values  for  each  component  of  the 
grid,  V*  =  has  been  calcu¬ 

lated  at  iteration  f;  and,  define  the  vector  of  previously  generated 
interdiction  plans  A*  =  , . . . ,  5  ^ .  The  interdiction  master 

problem  is  then: 


The  interdiction  master 


MP(V*,A*):  max  V  F' 

^Gen  ^Line  •  ^  ^ 

£Bus  ^gSub 


rGen,t  cGen 
9  ^9 


+  E  +  E  ""  +  E 


Suh.t  cSuh 


subject  to: 


Eqs.  (I.l)-(1.2)  replacing  8  with  8'  (MP.1)-(MP.2) 


cGen  I  cBus 


<  1  v^eG*,  iel* 


gpne  gpus  <  ^  V  z  G  Li  n  L*,  i  e  I* 

gUne  ^  y  ^  j^Par  p  ^  l* 


<1  V i  G  L  n  r,  S  G  S* 
gpne  gsub  <  ^  V  Z  G  n  L*,  S  G  S* 


^Gen,t'  _  ^Gen' 


9eG*\ 

^Gen,t' 


tLine.t'  ^ 


*ei*| 

cBus.t'  - 
o .  =1 


(MP.3) 

(MP.4) 

(MRS) 

(MP.6) 

(MP.7) 


+  E  ^  yt'  <t.  (MP.8) 


The  solution  to  MP(V*,  A*)  maximizes  the  estimated  value 
of  interdicted  grid  components.  Constraints  (MP3)-(MP7) 
serve  the  following  purposes,  respectively:  Interdict  a  generator 
or  the  bus  it  is  connected  to,  but  not  both;  interdict  a  line  or 
the  bus  it  is  connected  to,  but  not  both;  if  two  lines  run  in 
parallel,  interdict  one  line  or  the  other,  but  not  both  (in  the 
latter  case,  the  interdiction  of  both  lines  simultaneously  is 
actually  represented  by  a  single  variable);  interdict  a  bus  or  the 
substation  it  belongs  to,  but  not  both;  and,  interdict  a  line  or 
the  substation  it  is  connected  to,  but  not  both.  These  constraints 
incorporate  structural  information  about  the  system  that  the 
linear  objective  function  cannot.  Specifically,  the  constraints 
ensure  that  no  system  components  are  interdicted  that  are 
indirectly  interdicted  by  attacks  on  other  components.  Finally, 
constraints  (MP.8)  ensure  that  the  interdiction  plan  chosen  at 
the  incumbent  iteration  is  different  from  all  plans  from  previous 
iterations.  These  constraints  assume  that  the  optimal  objective 
of  the  master  problem  always  consumes  a  maximal  amount 
of  resource  (i.e.,  insufficient  resource  remains  to  interdict  any 
additional  components).  This  is  ensured  by  requiring  every 
component  maintain  a  minimum  allowable  value,  e  >  0. 
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Let  8  = 


/ ■^Subyt-\-l 

0  ,0  ,0  ,0 


note  the  solution  to  MP  ( V* ,  A* ) .  The  vector  6  is  used  in  the 
subproblem  to  start  a  new  iteration  of  the  algorithm  described 


I-ALG:  Interdiction  Algorithm: 

Input.  Grid  data;  Interdiction  data;  T  (iteration  limit). 

Output.  0  is  a  feasible  interdiction  plan  causing  a  disruption 
with  cost  7*.  If  the  algorithm  exits  because  MP(V*,  A*)  is  in¬ 
feasible,  then  all  feasible  solutions  have  been  enumerated,  and 
/\  * 

8  is  therefore  optimal. 

Initialization: 

/''\Gen.l  'xLine,!  'xBusA  'xSub,l\ 

-  )- 

(0, 0, 0, 0)  ^initial  attack  plan).  ^ 

—  Set  8^8  (best  plan  so  far)  and  A^  <—  {5  }. 

—  Set  7*  <—  0  (cost  of  the  best  plan  so  far). 

—  Set  f  ^  1. 

Subproblem: 

—  Solve  DC-OPF(^  )  for  objective  value  'y(8  )  and  so¬ 
lution  P*  =  ^ 

—  If  'y(S  )  >  Y”  then  7*  <—  -j(S  ),  and  ^  <—  8  . 

—  If  f  =  T,  then  Print  7*)  and  halt. 

Master  problem: 

—  Compute  “value  estimates”  using  P*  ,  P  =  1 . . . ,  f 

\Tt  —  {\TGen.t  \TLine,t  \TBus,t  \TSub.t\ 


V*  =  ( V 


_  _  ^  ^  ^^Gen^t'  -^Line^t'  -^Bus,t'  '^Sub^t' 

t'  =  l  „  .st-l-l 

SolveMP(V*,A*)  for5  . 

If  MP(V*,  A*)  is  infeasible,  then  Print  (8  ,7*)  and 
halt. 

Update  A*+t  ^  A*  U  }. 

Set  f  <—  f  -f  1. 

Return  to  Subproblem. 


III.  Results 

A.  Implementation 

We  have  applied  algorithm  I-ALG  to  two  test  networks  drawn 
from  the  1996  IEEE  Reliability  Test  System  (RTS)  [8]  and  [9]. 
Tests  are  carried  out  on  a  1  GHz  personal  computer  with  1  GB 
of  RAM.  The  model  and  algorithm  are  implemented  in  GAMS, 
which  is  an  algebraic  modeling  language  for  numerical  opti¬ 
mization  problems.  GAMS  enables  easy  generation  and  ma¬ 
nipulation  of  the  subproblems  and  master  problems,  which  are 
actually  solved  with  CPLEX,  a  highly  efficient  linear-  and  in¬ 
teger-programming  code  [10]. 

We  restrict  the  number  of  iterations  to  T  =  500  for  all  prob¬ 
lems  to  limit  computation  time.  Eor  fixed  M,  the  most  difficult 
problems  require  about  200  seconds,  excluding  model-genera¬ 
tion  overhead.  About  90%  of  the  time  is  spent  solving  the  master 
problem. 

Our  model  is  driven  by  generation  and  shedding  costs.  In  the 
examples,  we  assume  a  fixed  per-unit  penalty  for  unmet  load  so 
only  a  single  customer  class  is  represented.  Shedding  costs  are 
much  higher  than  generation  costs,  so  we  present  results  only  in 
terms  of  load  shed. 


RTS1 


0  2  4  6  8  10  12  14  16  1820  22  24  26  28  30  32  34  36  38  40 

interdiction  resource  (terrorists) 

Fig.  1.  Load  shedding  for  RTSl  as  a  function  of  interdiction  resource  M 
(number  of  terrorists).  Total  load  is  2850  MW. 


RTS2 


0  2  4  6  8  10  12  14  16  18  20  22  24  26  28  30  32  34  36  38  40 

interdiction  resource  (terrorists) 


Fig.  2.  Load  shedding  for  RTS2  as  a  function  of  interdiction  resource  M.  Total 
load  is  5700  MW.  Results  are  compared  to  twice  the  load  shed  in  RTSl  with 
interdiction  resource  at  (1  /2)M. 

B.  Test-Case  Description 

The  RTS  examples  are  not  intended  to  represent  particular 
systems  but,  rather,  general  reference  grids  that  contain  most 
of  the  technologies  and  configurations  found  in  typical  power 
grids  [8].  The  cases  we  study.  One  Area  RTS-96  (“RTSl”)  and 
Two  Area  RTS-96  (“RTS2”),  are  described  in  detail  in  [8].  RTS2 
duplicates  RTSl  and  adds  three  interconnections  between  the 
duplicated  areas. 

Interdiction  data  must  be  defined  in  addition  to  grid  data. 
For  these  examples,  we  suppose  that  the  terrorists’  resources 
are  quantified  as  a  given  number  of  people:  One  person  is  re¬ 
quired  to  interdict  any  overhead  single  line  or  physically  par¬ 
allel  overhead  lines,  although  underground  cables  cannot  be  in¬ 
terdicted;  transformers  (which  are  represented  by  lines)  require 
two  people;  three  people  are  required  to  interdict  any  bus  or  sub¬ 
station;  but  generators  are  well-protected  and  cannot  be  attacked 
directly  (although  they  can  be  disconnected  from  the  grid  by  at¬ 
tacking  the  associated  bus). 

C.  Interdiction  Plans 

Figs.  1  and  2  display  the  amount  of  load  shed  in  each  grid 
when  total  interdiction  resource  M  varies  from  zero  to  forty.  The 
amount  of  load  shed  is  a  monotonically  nondecreasing  function 
of  M,  with  a  tendency  to  concavity  as  M  increases;  this  is  to  be 
expected. 

In  RTSl,  any  case  with  M  >  28  results  in  at  least  90%  of  the 
total  load  being  shed.  For  the  most  part,  RTS2  is  more  difficult 
to  interdict  when  compared  to  the  RTS  1  for  twice  the  amount 
of  interdiction  resource.  For  example,  2311  MW  are  shed  in 
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Fig.  3.  Two  interdiction  plans  (depicted  as  (i)  and  (2) )  for  RTSl  using  M  = 
6.  Total  load  is  2850  MW.  Plan  1  sheds  1258  MW  and  plan  2  sheds  1373  MW. 
The  large  “  Q>  ”  indicates  that  the  four  transformers  and  buses  in  the  substation 
are  interdicted. 

RTS  1  when  M  =  20,  whereas  only  4000  MW  are  shed  in  RTS2 
when  M  =  40.  The  interconnecting  lines  may  be  playing  an 
important  role  in  decreasing  the  impact  of  the  attacks.  However, 
we  observe  the  opposite  effect  when  M  is  small.  For  instance, 
there  is  little  disruption  that  two  terrorists  can  cause  in  RTS  1  but 
four  terrorists  cause  proportionately  more  disruption  in  RTS2 
because  they  can,  apparently,  focus  on  the  “weak  links”  of  a 
single  area.  (We  caution  that  these  observations  apply  to  this 
particular  system  and  do  not  necessarily  generalize.) 

Determining  likelihoods  for  each  of  these  scenarios  and  in¬ 
corporating  them  into  a  more  elaborate  stochastic  program  (e.g., 
[11]  and  [12])  is  possible,  but  is  beyond  the  scope  of  this  paper. 
It  is  instructive  to  compare  two  specific  scenarios,  however,  and 
we  do  this  next  for  RTSl. 

Two  near-best  plans  for  RTSl,  for  M  =  6,  are  depicted 
in  Fig.  3.  “Plan  1”  attacks  the  substation  and  three  selected 
lines,  shedding  1258  MW  (44.1%  of  the  total  load),  and  “Plan 
2”  attacks  six  selected  transmission  lines,  shedding  1373  MW 
(48.2%).  Plan  2  sheds  more  instantaneous  load,  but  we  must  ulti¬ 
mately  consider  the  total  amount  of  unsupplied  energy  while  the 
effects  of  the  attack  last.  The  115  MW  of  additional  short-term 
load  shedding  in  Plan  2  may  be  negligible  compared  to  the 
long-term  disruption  caused  by  destroying  the  four  transformers 
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in  Plan  1,  since  it  is  unlikely  those  transformers  could  be  re¬ 
placed  or  repaired  quickly.  We  investigate  this  issue  more  for¬ 
mally  in  Section  III-D. 

We  now  consider  RTS2.  Fig.  4  depicts  the  most  disruptive  at¬ 
tack  plan  found  to  affect  instantaneous  load  shedding  for  M  = 
12.  Here,  2,516  MW  (44.1%  of  total  load)  is  shed.  Thus,  dou¬ 
bling  interdiction  resource  from  M  =  6  in  RTS  1  to  M  =  12 
here  yields  not  quite  twice  the  disruption  (2,516  <  2  x  1,373); 
compare  Fig.  2.  The  RTS2  plan  partially  duplicates  Plan  1  for 
RTSl,  which  seems  sensible  since  the  RTS2  duplicates  RTSl’s 
structure.  Note,  however,  that  one  line  connecting  the  duplicated 
areas  is  also  interdicted. 

D.  Results  Including  Restoration  Over  Time 

A  time-phased  version  of  I-DC-OPF  is  created  by  using  inter¬ 
diction  constructs  to  couple  instances  of  DC-OPF,  one  for  each 
system  state  that  represents  a  stage  or  “time  period”  of  system 
repair.  In  outline,  the  model  is 

T 

(MmO  max  min  Q!t-c^Pt- 

6GA  Pi,r=l,...T^ 

T=1 

s.t.  g.r(PT,^)  <  b,r  =  1,...,T 

Pr>0,r  =  1,...,T. 

Model  (Mm^)  extends  (Mm)  to  incorporate  the  hourly  cost 
of  power  flow,  c^Pt,  in  each  time  period  r,  multiplied  by  the 
period’s  duration  in  hours,  Ur-  The  model  could  be  extended 
to  incorporate  “sub-time  periods”  through  load  duration  curves, 
be  we  have  not  yet  explored  this  possibility;  all  loads  are  held 
constant  over  time.  The  conversion  of  I-ALG  to  solve  (Mm^)  is 
straightforward. 

Data  for  outage  durations  (i.e.,  repair  or  replacement  times) 
are  based  loosely  on  [8].  Outage  duration  for  transformers  is  768 
hours.  For  overhead  lines,  instead  of  the  10  or  11  hours  used  in 
[8],  we  are  more  conservative  and  assume  72  hours.  This  is  jus¬ 
tified  because  (a)  we  expect  more  damage  to  result  from  the  in¬ 
tentional  destruction  of  a  line — this  would  probably  involve  the 
destruction  of  one  or  more  towers  [13] — than  the  average  time 
needed  to  repair  damage  from  common  natural  causes  such  as 
lightning,  and  (b)  if  n  lines  and  other  grid  elements  are  attacked, 
total  repair  time  may  be  longer  if  fewer  than  n  repair  teams  are 
available.  We  also  assume  that  a  large  substation  requires  768 
hours  for  repair,  but  buses,  for  which  [8]  provides  no  data,  re¬ 
quire  360  hours.  These  data  are  summarized  in  Table  1. 

Table  II  presents  results  for  each  time  period  for  attack  Plans 

1  and  2  in  RTSl  (M  =  6).  Immediately  after  the  attack.  Plan 

2  sheds  more  power  (1373  MW)  than  Plan  1  (1258  MW).  But, 
with  power  restoration  over  time  factored  in.  Plan  1  causes  more 
disruption  because  repairs  take  longer  and  more  total  energy  is 
shed. 

As  expected,  the  revised  model  incorporating  outage  dura¬ 
tions  identifies  a  more  disruptive  plan.  Plan  3  (see  Table  II  and 
Fig.  5)  in  terms  of  total  energy  shed,  compared  to  Plans  1  and  2. 
Plan  3  interdicts  the  large  substation,  a  transformer  in  the  other 
substation  (but  without  disconnecting  the  load  associated  with 
the  substation  on  the  left)  and  one  line. 

E.  Identifying  Candidate  Components  for  Hardening 

Our  ultimate  goal  is  to  identify  grid  components  which,  when 
“hardened,”  yield  the  best  improvement  in  system  security.  A 
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Fig.  4.  An  interdiction  plan  (•)  for  RTS2  using  M  =  12.  Total  load  is  5700  MW.  This  plan  sheds  2516  MW. 


TABLE  1 

Repair  and  Interdiction  Data  for  Grid  Components 


Grid 

Inter- 

Resources  M 

Outage 

Component 

dictable 

(#  of  terrorists) 

Duration  (h) 

Lines (overhead) 

YES 

1 

72 

Lines (undergnd) 

NO 

N/A 

N/A 

Transformers 

YES 

2 

768 

Buses 

YES 

3 

360 

Generators 

NO 

N/A 

N/A 

Substations 

YES 

3 

768 

TABLE  II 

Energy  Shed  Until  System  Repair  is  Complete,  for  Three  Attack 
Plans  for  RTS  1 .  Plan  3  is  Superior  Because  it  was  Generated  Through 
(Mm')  Which  Explicitly  Models  Power  Restoration  Over  Time 


Plan 

Time 

Period 

Power 
Shed  (MW) 

Energy 

Shed  (MWh) 

0-72  h 

1,258 

90.576 

1 

72-768  h 

426 

296,496 

Total:  387,072 

2 

0-72  h 

1  1,373 

1  98,856 

Total:  98,856 

0-72  h 

902 

64,944 

3 

72-768  h 

708 

492.768 

Total:  557,712 

transmission  line  like  the  one  attacked  in  Plan  3  would  be  dif¬ 
ficult  or  impossible  to  harden,  although  a  similar  effect  might 
be  achieved  by  adding  redundant  capacity  in  a  new,  separate, 
parallel  corridor.  However,  opening  up  new  corridors  for  power 
lines  is  a  slow,  difficult  and  expensive  process  and  a  more  prac¬ 
tical  alternative  might  be  to  harden  the  two  substations  that  Plan 
3  indicates  are  important.  Indeed,  when  those  two  substations 


Fig.  5.  Interdiction  plans  3  ( (^)  and  4  ( @)  for  RTSl  with  M  =  6  and 
explicit  modeling  of  system  restoration  over  time.  Total  energy  shed  is  557  712 
MWh  for  plan  3.  Plan  4  (attack  to  two  buses)  is  created  assuming  the  two 
substations  attacked  in  plan  3  have  been  rendered  invulnerable.  Total  energy 
shed  drops  to  272  160  MWh. 

are  treated  as  invulnerable,  the  best  attack  plan  found.  Plan  4 
in  Fig.  5,  sheds  only  272  160  MWh  of  electricity  compared  to 
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557  712  MWh  for  Plan  3.  Hardening  a  substation  could  be  ac¬ 
complished  in  a  number  of  ways,  for  example,  by  strengthening 
building  walls  or  by  enclosing  outdoor  facilities. 

The  components  that  are  identified  as  candidates  for  hard¬ 
ening  will  naturally  depend  on  the  assumptions  regarding  M, 
i.e.,  the  terrorists’  assumed  resources.  If  certain  components  ap¬ 
pear  to  be  critical  over  a  wide  range  of  values  for  M,  then  it 
would  be  reasonable  to  focus  on  those  components  for  hard¬ 
ening.  However,  more  research  will  be  required  to  formalize  an 
approach  to  this  problem. 

IV.  Conclusions  and  Future  Work 

In  this  paper  we  have  formulated  the  problem  of  optimal 
interdiction  of  an  electric  power  network  and  have  developed  a 
heuristic  algorithm  to  solve  the  problem.  We  have  demonstrated 
the  algorithm  using  two  RTS  systems  and  have  indicated  how  the 
results  can  be  used  by  planners  to  identify  critical  components 
whose  hardening  will  substantially  improve  system  security. 
Critical  components  are  identified  with  modest  computational 
effort. 

Numerous  issues  remain  for  future  work,  and  they  include: 

•  creating  linear  approximations  of  the  model  (Mm)  having 
the  form 

(LMm)  max  min  c^p 
«GA  p 

s.t.  Ap  <BS 
P  >0 

which  are  amenable  to  exact  solution  methods; 

•  extending  (Mm)  and  (LMm)  to  represent  more  detail  about 
system  restoration  and  unmet  load  over  time; 

•  extending  (Mm)  and  (LMm)  to 

(PLMm)  min  max  minc^p 

V’G'I'  «GA(i/)) 

S.t.  A('ip)p 

P  >0 

where  the  new  level  of  optimization  over  £  It  rep¬ 
resents  protective  measures  to  be  taken  in  advance,  such 
as  hardening  particular  grid  components  as  discussed  in 
Section  III-E.  These  measures  will  reduce  the  ability  of 
terrorists  to  attack  the  grid  through  the  constraints  rep¬ 
resented  by  ^  thereby  improve  post-attack 

power  flows; 

•  incorporating  uncertainty  about  terrorists’  capabilities  into 
our  analysis; 

•  evaluating  different  spare-equipment  policies,  including 
the  use  of  “generic”  transformer  spares  that  could  provide 


adequate,  if  imperfect,  replacements  for  several  types  of 
transformers; 

•  representing  the  immediate  aftermath  of  an  attack,  in¬ 
cluding  cascading  outages  and  the  dynamics  of  voltage 
collapse  and  angular  instability. 
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